• TLS Error

    3
    0 Votes
    3 Posts
    1k Views
    gregeehG
    @jimp said in TLS Error: "Usually that means that some other client (not OpenVPN) hit the port. It might be a port scan, a monitoring probe, or a client that doesn't have the right TLS key for example." I think you are correct, as I just did a port scan, using one of the online tools, on port 1194 and the error appeared. Seems to confirm your thoughts. Thanks.
  • Site to site OpenVPN stopped working

    1
    0 Votes
    1 Posts
    371 Views
    No one has replied
  • Viscosity Client - pfSense OpenVPN - Web Pages Timing Out

    3
    0 Votes
    3 Posts
    830 Views
    N
    I used the VPN > OpenVPN > Wizards to create the entry in the Servers > OpenVPN Servers. I believe it also created the OpenVPN firewall rule. The OpenVPN firewall rule is an action: Pass, protocol: Any, source: Any, destination: Any. I thought maybe Suricata could be blocking the connection. I read a post that stated to use port 443 to bypass Suricata. I changed the OpenVPN Server to port 443 and the WAN firewall rule to action: Pass, protocol: UDP, source: Any, destination: WAN address, destination port range: 443, and I'm intermittently able to connect. I'm also observing when I am able to connect, and then I disconnect, and then try to reconnect, I'm having trouble reconnecting. Is there something else I may be missing by chance? Thank you.
  • 1 Votes
    9 Posts
    3k Views
    S
    @derelict GDG: problem writing to routing socket maybe here? A stupid question since it worked before without: do I have to bridge lan and "opt1 over opvns1"?
  • Site-to-site tunnel, only endpoints can ping other side. [SOLVED]

    7
    0 Votes
    7 Posts
    2k Views
    M
    @derelict Yup, this was it. The routing even seems to work with my IPSEC tunnel still in place. If this was mentioned in the book, I must have read right over it!
  • Can access NAS via web interface but not Windows explorer

    1
    0 Votes
    1 Posts
    362 Views
    No one has replied
  • OpenVPN via PIA doesn't connect to the internet

    1
    4
    0 Votes
    1 Posts
    398 Views
    No one has replied
  • How to connect vpn site to site from a remote client?

    1
    0 Votes
    1 Posts
    413 Views
    No one has replied
  • OpenVPN Server refusing to connect

    4.14 openvpn 2.4.3-r-p1
    12
    2
    0 Votes
    12 Posts
    4k Views
    D
    @boxofrox Ah! <Sound of penny dropping, lightbulb turning on, forehead slap> Thank you, I forgot about the “certificate granting” part of a CA. What do you call it when you’re too young for a “senior moment” and too old for a rookie mistake? ;-) Salaam, kudos, thanks!
  • OpenVPN only one-way traffic

    1
    0 Votes
    1 Posts
    438 Views
    No one has replied
  • Error TLS handshake failed

    tls handshake failed connection timeout
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Server only

    3
    0 Votes
    3 Posts
    647 Views
    emammadovE
    Hi. For Firewall rules: https://www.youtube.com/watch?v=UZR2LNBtzrw https://www.youtube.com/watch?v=OfZPOO2nu5g For OpenVPN, these tutorials are nice. https://www.youtube.com/watch?v=xiy52Hn5bTc
  • Enforce Inactivity Timeout

    8
    0 Votes
    8 Posts
    2k Views
    P
    Thanks Pippin, so it appears as though it's not disconnecting after an hour... I've narrowed it down to the keepalive values in the server config. They are set to 10 and 60. I found this in the server.conf file under /var/etc. I'd like to modify this line (keepalive 10 60) value, or remove it altogether, but I don't want to create instability. Is it safe to do this via the shell or is there somewhere in the GUI I can do this?
  • Site-to-Site Multiple OpenVPN server with Overrides

    1
    0 Votes
    1 Posts
    385 Views
    No one has replied
  • Solved TCP/UDP: Incoming packet rejected from [AF_INET]

    5
    0 Votes
    5 Posts
    19k Views
    johnpozJ
    What version of pfsense are you running - I thought there was a bug report about firewall rules created for openvpn being incorrect.. But that was corrected.. https://redmine.pfsense.org/issues/8391 But it was using tcp4 vs tcp.. I just ran through the wizard and created a new udp server and it did not create any rule.. It created correct UDP with port and ipv4. Running 2.4.3p1
  • OpenVPN roaming users can't access devices over IPSec Site to Site

    3
    0 Votes
    3 Posts
    648 Views
    F
    @jimp It was my phase 2 entries that were messed up! Thanks for the help, all is working now.
  • OpenVPN Client connect to Mikrotik Server

    1
    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Strange packet loss on OpenVPN client

    6
    0 Votes
    6 Posts
    6k Views
    M
    I have the same behavior on my setup. What I have noticed is that it's actually related to the frequency that you issue the icmp requests. Interestingly enough, the sweet spot seems to be 1000ms between icmp requests (I tried numerous times) you actually get more packet loss if you do 2000ms... for example:
    ping -i 0.2 google.com
    103 packets transmitted, 24 received, 76% packet loss, time 21443ms
    ping -i 0.25 google.com
    55 packets transmitted, 17 received, 69% packet loss, time 13744ms
    ping -i 0.5 google.com
    49 packets transmitted, 23 received, 53% packet loss, time 24100ms
    ping -i 0.75 google.com
    51 packets transmitted, 29 received, 43% packet loss, time 37550ms
    ping -i 1 google.com
    20 packets transmitted, 20 received, 0% packet loss, time 19026ms
    ping -i 2 google.com
    20 packets transmitted, 17 received, 15% packet loss, time 38014ms
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.